DruckFin

SentinelOne Posts Record Net New ARR as Layoffs Signal a Leaner Growth Model

Q1 FY2027 Earnings Call, May 28, 2026

SentinelOne delivered its strongest quarter in years on the bookings front, recording $44 million in net new ARR, a 55% year-over-year increase and a new company record. That momentum, however, is now being paired with a deliberate organizational reset: an 8% workforce reduction that management insists is strategic rather than defensive. Together, these two data points define the story of where SentinelOne stands today — a platform business reaching genuine inflection on growth metrics while simultaneously acknowledging it had been carrying excess organizational weight.

ARR Acceleration Is the Real Headline

Total ARR growth accelerated to 23% in Q1, the first acceleration in more than three years according to analyst calculations on the call. Revenue grew 21% year-over-year to $277 million, with international markets growing faster at 25% and representing 39% of total revenue. The net new ARR figure of $44 million marked the fourth consecutive quarter of positive net new ARR growth while exceeding expectations, and Guggenheim's John DiFucci noted on the call that even adjusting for attrition, gross new ARR was the best in almost four years. Remaining performance obligations grew 30% to a record $1.5 billion, a figure that provides meaningful forward revenue visibility.

Perhaps the most structurally significant disclosure in the quarter was this: for the first time, ARR from non-endpoint solutions approached 50% of total ARR. That is a genuine inflection in business mix, reflecting the multi-product expansion strategy that management has been articulating for several years. ARR per customer reached a record high, and for customers spending $100,000 or more annually, net revenue retention improved both sequentially and year-over-year to above 110%, a figure CFO Sonalee Parekh highlighted as particularly meaningful given it had previously been a drag on the story.

The 8% Workforce Cut: Efficiency Play or Admission of Excess?

The workforce reduction is the most operationally consequential announcement of the quarter and deserves scrutiny. Management framed it as deliberate evolution rather than reaction to business stress. "This is not a reactive measure. It is a deliberate evolution to reduce complexity, raise the performance bar and build a leaner, more agile SentinelOne," CEO Tomer Weingarten said. The company expects to incur a one-time restructuring charge of approximately $25 million in Q2, excluded from non-GAAP results, and expects approximately $45 million in annualized cost savings once fully implemented.

Weingarten was specific in noting that the cuts are not meaningfully hitting R&D or product groups — the emphasis is on streamlining go-to-market and reducing organizational layers. When pressed on potential sales disruption in Q2, he was direct: "We don't expect any go-to-market disruption. This comes off natural performance management, folks that may not have been the biggest contributors." Whether that assessment proves accurate will be visible in Q2 net new ARR, which the company did not guide to explicitly but implied would remain positive for the full year.

Parekh added important context on where the savings are going. Sales and marketing as a percentage of revenue fell from 47% a year ago to 39% in Q1, a 800 basis point improvement that is already flowing through the model ahead of the formal restructuring. The full-year operating margin guide was raised to 10% at the midpoint, representing 650 to 700 basis points of year-over-year improvement, with the Q4 exit rate implied to be meaningfully above that level.

AI Security Is Moving From Talking Point to Revenue Driver

Prompt Security, the AI security product SentinelOne acquired, is becoming a credible growth catalyst. AI security ARR "nearly doubled again" sequentially in Q1, a phrase used twice in the prepared remarks. Weingarten described Prompt as "the only enterprise-grade scalable solution capable of securing AI at this level," and the call included several win examples that illustrated both the land-and-expand logic and the competitive displacement potential. In one instance, an enterprise chose Prompt over what Weingarten described as an incomplete AI offering from an incumbent next-generation endpoint vendor, with the win opening a broader displacement opportunity. In another, a U.S. state government selected SentinelOne to secure AI infrastructure across sensitive government systems — one of the first government deals led by AI security rather than traditional endpoint or SIEM.

UBS analyst Roger Boyd noted strong channel feedback on Prompt, and Weingarten confirmed the thesis: "Prompt is delivering the capability that every single enterprise needs right now that none of our competitors have." He also noted that the majority of SentinelOne's existing customer base has not yet deployed Prompt, which means the near-term opportunity for within-base expansion is still largely untapped. The company is actively working to enable Prompt adoption through the platform directly to accelerate that absorption.

SentinelOne also launched Singularity AI Red Teaming in May, a product designed to autonomously stress-test AI applications against real-world attack scenarios before they reach production. Weingarten described the logic clearly: "Red Teaming discovers the vulnerabilities in development, and our core platform seamlessly blocks them at runtime. We are now delivering AI security from the first line of code through execution." The product is designed to create a complementary land-and-expand motion with the core platform.

Purple AI: Agentic SOC Claims Are Getting Quantified

Purple AI, SentinelOne's agentic security operations product, reached general availability of its auto-investigations feature in Q1. The company cited an IDC study finding a 338% ROI for Purple AI customers. More interesting for investors is the scale economics Weingarten described: "In several early rollouts, we are seeing instances where ARR from Purple AI's end-to-end deployment can outgrow a customer's core endpoint footprint." If that dynamic holds at scale, Purple becomes a material revenue multiplier on the installed base rather than just an attach product. The company sees particular opportunity with MSSPs, where Purple's efficiency gains translate directly into operating leverage for the service provider.

Data and Cloud ARR Acceleration Continues

Q1 marked the fourth consecutive quarter of data ARR growth acceleration, driven by AI SIEM demand. The company disclosed a competitive win against Splunk with a luxury brand committing to a multiyear AI SIEM deployment, and a multinational services enterprise signed a seven-figure expansion replacing an existing SIEM provider. An IDC study cited on the call showed SentinelOne's AI SIEM delivering a 331% three-year ROI with a seven-month payback period, with customers seeing 70% faster queries and 75% faster investigations.

Cloud security ARR also accelerated in Q1, with Weingarten pointing to runtime security as the differentiating capability versus static posture management. One of the most valuable private companies globally — described as soon to go public — significantly expanded its SentinelOne footprint in the quarter for runtime protection of AI workloads. Weingarten's broader point is structural: "Static cloud visibility was simply insufficient. This enterprise doubled down on Singularity cloud for autonomous AI-powered runtime protection capable of actively neutralizing AI-based threats across their dynamic infrastructure in real time."

SentinelOne Flex Crosses $200 Million TCV in Three Quarters

SentinelOne Flex, the company's consumption-based purchasing model, crossed $200 million in total contract value in just three quarters since launch. Management highlighted that Flex is increasingly driving larger deals, with seven- and eight-figure commitments and longer-term contracts becoming more common. The model is also being paired with prepaid structures for token-based AI product usage, creating what Weingarten described as "a durable hybrid model — a reliable baseline with meaningful expansion opportunity levered on top." The Level Blue MSSP partnership announced at RSA is emblematic of this approach, with tens of millions of endpoints expected to migrate to the Singularity platform over the coming years through a single partnership rather than individual customer sales motions.

Guidance Maintained, But Back-Half Weighting Is a Flag to Watch

Full-year revenue guidance was reiterated at $1.195 billion to $1.205 billion, representing 20% growth at the midpoint. Q2 revenue is guided at $289 million to $291 million, also 20% growth. Parekh acknowledged on the call that Q1 saw a back-end loaded deal structure, a dynamic she expects to continue as larger deals make up a greater proportion of bookings. That loading pattern means investors should not automatically extrapolate Q1's record net new ARR directly into the full-year revenue trajectory — Parekh was careful to note the timing difference between ARR and revenue recognition, particularly as deal sizes grow and contracts extend. Full-year operating income guidance was raised to $115 million to $125 million, up from prior guidance, representing a 10% operating margin at the midpoint and a more than 700 basis point year-over-year improvement. Full-year EPS guidance is $0.32 to $0.38.

New CFO Brings Operational Rigor Into Focus

Sonalee Parekh's first earnings call as CFO offered a cleaner articulation of the financial priorities than SentinelOne investors have heard in some time. She was pointed on where she sees the largest opportunity for efficiency: "Sales and marketing, where I see the largest opportunity for productivity improvement." She also stated explicitly that the company intends to put itself "firmly on the path to Rule of 40" through a combination of durable growth and margin expansion, with GRR stability and improving NRR in the $100,000-plus cohort as the twin metrics she is managing against. On capital allocation, she confirmed that share repurchases are on the table given the company's $812 million cash position and no debt, characterizing the policy as "dynamic and opportunistic" and noting that at current share price levels, buybacks represent a positive ROI initiative in management's view.

SentinelOne, Inc. Deep Dive

The Autonomous Ascent

SentinelOne operates in the critical, high-stakes domain of cybersecurity, fundamentally anchored in endpoint detection and response. At its core, the company monetizes the Singularity Platform, a unified architecture that delivers autonomous protection across endpoints, cloud workloads, and identity layers. Unlike legacy antivirus solutions that rely on signature-based detection, SentinelOne engineered its platform around behavioral artificial intelligence. The system monitors processes at the kernel level, identifying anomalous activity and intercepting threats in real time. The company operates on a pure software-as-a-service subscription model, recognizing revenue ratably over the contract life. This model is tracked primarily through Annualized Recurring Revenue, which successfully breached the $1.16 billion mark in the first quarter of fiscal 2027, growing 23 percent year-over-year. As enterprises scale their digital footprints, SentinelOne’s pricing scales correspondingly, expanding via module attachments, data ingestion volumes, and seat counts.

Historically pigeonholed as a pure-play endpoint vendor, SentinelOne has successfully transitioned into a broader security ecosystem. The Singularity Data Lake underpins this shift, allowing enterprises to ingest massive volumes of security telemetry at query speeds and storage costs that fundamentally undercut legacy security information and event management systems. This expanded product suite is now driving the economic engine. In recent quarters, over half of the company's new annual recurring revenue has been generated from emerging, non-endpoint solutions such as data analytics, cloud security, and artificial intelligence toolsets. By embedding extended detection and response capabilities directly into the data lake, SentinelOne provides chief information security officers with a single pane of glass to investigate multi-domain threats without resorting to exorbitant, fragmented data silos.

Ecosystem Dynamics

SentinelOne operates in an intensely consolidated, high-stakes market catering to a diverse end-customer base that spans from small-to-medium businesses to the Fortune 500 and heavily regulated federal agencies. The company’s go-to-market motion relies extensively on channel partners. A critical lever of its growth is its deep integration with Managed Security Service Providers. These partners bundle SentinelOne’s autonomous software into broader managed service offerings, granting the company highly efficient distribution into the mid-market without the burdensome customer acquisition costs associated with a massive direct enterprise sales force. At the enterprise level, the company currently secures over 1,700 customers generating more than $100,000 in annual recurring revenue, reflecting strong upmarket traction.

The competitive landscape is dominated by a tight oligopoly. SentinelOne holds an estimated 9 percent share of the endpoint protection market, making it the fourth-largest player globally, but it faces formidable headwinds from industry titans. Its most direct architectural and commercial rival is CrowdStrike, which commands an imposing $5.25 billion in annual recurring revenue and continues to grow at roughly 24 percent year-over-year. Microsoft constitutes the other primary antagonist, leveraging its ubiquitous enterprise agreements to bundle Defender into E5 software licenses, creating immense pricing pressure at the lower and middle tiers of the market. Palo Alto Networks also exerts significant gravity at the enterprise level with its Cortex extended detection and response platform, forcing a consolidation narrative. SentinelOne’s primary supplier dependencies are minimal, largely restricted to cloud infrastructure providers like Google Cloud and Amazon Web Services for data hosting, though its fundamental value proposition remains untethered to continuous cloud connectivity.

The Margin of Machine Speed

SentinelOne’s definitive competitive advantage resides in its decentralized, on-device AI architecture. Competing platforms, most notably CrowdStrike, utilize a lightweight agent that relies heavily on streaming telemetry to a centralized cloud intelligence graph to execute detections, supplemented by human threat-hunting teams. SentinelOne’s Singularity agent, conversely, processes behavioral AI inferencing locally on the endpoint. This structural distinction means SentinelOne can autonomously detect and kill threats, and instantly initiate a one-click ransomware rollback, even when the endpoint is entirely air-gapped or experiencing degraded network connectivity. This technological autonomy significantly reduces the operational burden on a client's security operations center.

This localized intelligence yields an economic advantage that manifests directly in SentinelOne's margin profile. Because the platform relies on algorithmic autonomy rather than an army of human analysts or exorbitant continuous cloud-compute queries, SentinelOne is able to offer highly disruptive total cost of ownership to its customers while preserving a non-GAAP gross margin of 77 percent. Furthermore, as data retention requirements for regulatory compliance explode, the Singularity Data Lake offers a cost-to-performance ratio that legacy data platforms struggle to match. This architectural elegance creates a high barrier to entry and a sticky product ecosystem, evidenced by historically strong gross retention rates and the ability to systematically upsell adjacent modules into the installed base.

The Platformization Battlefield

The foremost threat to SentinelOne is the aggressive industry shift toward platformization. As chief information security officers face budgetary constraints and tool sprawl, mega-vendors like Palo Alto Networks are offering extreme commercial incentives to consolidate network, cloud, and endpoint security under a single vendor umbrella. If enterprise buyers prioritize vendor consolidation over best-of-breed endpoint efficacy, SentinelOne risks being isolated in procurement cycles. Furthermore, macroeconomic headwinds and extended sales cycles continue to pressure software spending, a reality reflected in SentinelOne’s decision to execute an 8 percent workforce reduction in the first quarter of fiscal 2027 to protect its operating leverage.

Conversely, the same industry dynamics present a vast opportunity. The recent global supply chain and IT outages caused by human-in-the-loop updates from competitors have highlighted the inherent risks of monolithic, cloud-dependent architectures. SentinelOne is uniquely positioned to capitalize on enterprises seeking architectural redundancy and operational resilience. Furthermore, the company’s recent achievement of FedRAMP High and GovRAMP authorizations unlocks a highly lucrative public sector market. As federal agencies mandated by zero-trust directives seek to replace legacy antivirus frameworks, SentinelOne possesses the requisite compliance credentials and offline autonomy specifically suited for defense and intelligence environments.

Securing the AI Frontier

To sustain its growth trajectory against much larger incumbents, SentinelOne has aggressively expanded its product perimeter via organic development and strategic acquisitions. The launch of Purple AI represents a leap in security operations efficiency. Functioning as a generative AI security analyst, Purple AI translates natural language into complex querying syntax, automates threat hunting, and generates comprehensive incident summaries. Management notes that Purple AI has achieved an attach rate exceeding 50 percent on new licenses, proving highly monetizable and critical for lowering the barrier to entry for junior security analysts.

More critically, SentinelOne is attacking the cloud and generative AI security markets. The 2024 acquisition of PingSafe brought essential Cloud-Native Application Protection Platform capabilities in-house, marrying agentless cloud posture management with SentinelOne’s agent-based runtime protection. Realizing that AI itself is the new enterprise attack surface, SentinelOne acquired Prompt Security in late 2025 for roughly $180 million, followed by Observo. Prompt Security allows SentinelOne to pioneer security for AI, providing runtime protection against prompt injections, sensitive data leakage to large language models, and shadow AI usage. By extending Singularity to monitor intelligent agents and generative AI integrations in real time, SentinelOne is successfully positioning itself not just as a defender leveraging AI, but as the foundational security layer for enterprise AI adoption.

Cloud-Native Challengers

While the endpoint market features established incumbents, SentinelOne’s pivot toward cloud security brings it into direct conflict with a new breed of highly capitalized, cloud-native entrants. The most formidable of these is Wiz. Having scaled past $500 million in annual recurring revenue faster than any cybersecurity company in history, Wiz dominates the agentless cloud security posture management space. Wiz’s frictionless, API-driven deployment model bypasses traditional endpoint agent friction entirely, capturing immense mindshare among cloud architects and DevOps teams. To defend its flank and successfully monetize its PingSafe acquisition, SentinelOne must prove to the market that a unified platform combining deep endpoint runtime telemetry with agentless cloud scanning provides superior security outcomes compared to Wiz’s cloud-only orientation.

Execution at the Helm

Under the continuous stewardship of co-founder and Chief Executive Officer Tomer Weingarten, SentinelOne has executed a remarkably difficult transition from a cash-burning hyper-growth startup to a disciplined, billion-dollar enterprise. Management’s track record over the past two years is defined by a rigorous adherence to the Rule of 40 framework. In fiscal 2026, the executive team delivered on their most vital promise to Wall Street, achieving the company’s first full year of non-GAAP operating profitability and positive free cash flow, a stark reversal from the deep operating deficits of its post-IPO years.

Weingarten has strategically augmented his executive bench to support this scale, notably bringing on Ana Pinczuk as President of Product and Technology in 2025 to drive the integration of recent acquisitions into a seamless platform. However, the operational pivot has required hard choices. The transition to interim Chief Financial Officer Barry Padgett late in fiscal 2026, coupled with the recent 8 percent structural workforce reduction, indicates that management is aggressively managing costs in response to a decelerating net new ARR environment. While these maneuvers demonstrate a mature commitment to sustainable margin expansion, they also underscore the unforgiving execution required to fund aggressive research and development while appeasing public market profitability demands.

The Scorecard

SentinelOne has firmly established itself as a premier, technologically differentiated asset in the cybersecurity landscape. Its foundational architecture, which pushes autonomous artificial intelligence directly to the endpoint, provides a tangible performance and cost advantage over cloud-reliant peers. Management’s successful pivot toward non-GAAP profitability, combined with a forward-looking product roadmap that proactively secures generative AI applications through timely acquisitions, proves the company can innovate beyond its legacy endpoint roots. The fact that non-endpoint solutions now drive the majority of new recurring revenue confirms the viability of its broader platform strategy.

However, the structural realities of the cybersecurity market mandate caution. SentinelOne is competing in an arena where scale begets scale, and its principal rivals boast revenue bases four to five times larger, armed with massive sales forces and aggressive bundling strategies. The prevailing enterprise trend toward vendor consolidation favors the broadest platforms, threatening to relegate best-of-breed operators to secondary status if they cannot encompass the entire network and cloud continuum. SentinelOne offers a compelling, highly advanced technological mousetrap, but its ultimate trajectory will depend on out-innovating behemoths without exhausting its newly minted profit margins.

Read Next

Sivers Semiconductors: Pipeline Rockets to $800M But Near-Term Revenue Remains Elusive as FX and Defense Delays Bite

2026-05-31

Tempus AI: A Valuation Paradox as Foundation Model Performance and Tumor-Only FDA Approval Reframe the Growth Story

2026-05-31

Phreesia Deep Dive

2026-05-31

WhiteHawk Minerals Deep Dive

2026-05-30

Sunshine Silver Mining & Refining Deep Dive

2026-05-30

Safepoint Holdings Deep Dive

2026-05-30
Disclaimer: This article is for informational purposes only and does not constitute investment advice or a recommendation to buy, sell, or hold any security. Our analysts provide detailed coverage of corporate events but can make mistakes, always conduct your own due diligence. The views and opinions expressed do not necessarily reflect those of DruckFin. We have not independently verified all information used herein, and it may contain errors or omissions. Before making any investment decision, consult a qualified financial advisor. DruckFin and its affiliates disclaim any liability for any losses arising from reliance on this content. For full terms, see our Terms of Use.